The Native Domain of Agentic Engineering

Static analysis, the discipline of what we can know about a program from its source code, is the rare domain in which both the tool and the subject are the same material: code. That dual relationship compounds the benefits of agentic software engineering in ways that are hard to find elsewhere. For NightVision, this isn't theoretical speculation, it's the reason that a small engineering team can develop API eNVy into a powerful system for API discovery and security with capabilities that weren't previously practical.

Agents can help build great static analysis

Large language models are trained extensively on source code. This creates a double benefit in the domain of static analysis. An agent understands the analysis (AST traversal, language interpretation, framework models) and the subject (the application source being analyzed). It can reason about the properties of a codebase and understand how it recognizes those properties, and it can translate those insights into the logic of traditional, deterministic static analysis.

At NightVision, we are building comprehensive static analysis tools for API discovery to complement our best-in-class Dynamic Application Security Testing (DAST) tools. Supported by extensive evals (unit tests, open-source benchmark applications, and yes, static analysis tools) and persistent memory systems (skills, documentation, git history), AI agents are enabling us to take these tools farther than we could have imagined a few months ago.

Static analysis is a great tool for agents

Agents don't just improve static analysis... they need it. Intelligence is the headline capability of LLMs, but tool use has been the truly revolutionary component. And what is grep but the most basic of static analysis tools? LSPs (implementations of the Language Server Protocol) provide instant feedback that alerts agents to basic errors as soon as they are introduced. Static analysis tools are becoming essential infrastructure for agentic workflows.

As the tasks we delegate become larger in breadth and depth, agents can save tokens by wielding advanced static analysis tools to retrieve sound, focused data describing a codebase, before they load a single byte of that codebase into context. Developers can use static analysis tools to validate that agent-generated code adheres to a specification. API eNVy's analysis of API surfaces serves this dual purpose: feedback in the agentic evaluation loop, and visibility into the code that agents produce.

Practical agentic engineering

Deliberate construction of the agent's environment is needed for advanced engineering tasks. At NightVision, we've been building that infrastructure around our codebases.

Organizational workflows. Agents need to know how the team works: commit conventions, PR expectations, issue tracking workflows. We encode these as development skills: structured guides for commit organization, PR workflows, issue tracking, and product documentation. When an agent's output follows organizational conventions, the codebase remains legible by both humans and agents.

Project-specific memory. A general-purpose agent doesn't know your architecture, your data model, or the patterns that make the codebase work. A library of skills documenting the project is the difference between an agent that can tack on functionality and one that integrates features that advance the system.

Sandboxing. Some tasks are well-specified enough for unsupervised work, for example, implementing a new framework processor, adding test coverage, refactoring a module. We run these tasks in Docker-based sandboxes with unrestricted local permissions and read-only credentials for external systems. The agent can plan, edit, build, test, and commit freely within the sandbox. It cannot push, post, or comment to external systems. This setup enables deep investigation and first-pass implementation of complex features without tying up the human operator.

Archiving and auditing. Every agent session produces a full local transcript¹. We aggregate these into a searchable interface that gives engineering teams visibility into agent activity. A global view of agent history is essential for searching and reviewing the ever-increasing torrent of development that agents are producing.

Testing, testing and more testing. In agentic development, tests are the mechanism the agent uses to confirm its own understanding, so the quality of the feedback loop determines how much autonomy you can safely grant. LLMs happen to be fabulous at generating minimal working examples of applications demonstrating standard web framework usage: the exact kind of test that API eNVy needs to validate functionality.

¹ By default, Claude Code deletes your local session history after 30 days; use the cleanupPeriodDays setting to keep it longer.

We are excited to build

API eNVy delivers deterministic, source-traceable API inventory. Agentic engineering is helping to extend those capabilities deeper into the application logic, across dependency and configuration boundaries, and onward to support additional languages and frameworks. We are excited to push the limits of what's possible with static analysis for API discovery, and to provide these tools to both agents and engineers to help understand and secure what they produce.

‍